Mark Pribish

43% of Breaches Affect Small Businesses: 2019 Verizon Data Breach Report

By Mark Pribish
Vice President and ID Theft Practice Leader

In the just released 2019 Verizon Data Breach Investigations Report (DBIR), Verizon found that 43% of data breaches happened to small businesses and that a third (32%) of breaches involved phishing.

For 11 years, the Verizon report has provided a very insightful view on the evolving threat landscape and this year is no different.

While the report is built upon the analysis of 41,686 security incidents and 2,013 confirmed data breaches, the Verizon DBIR digs into the overall threat landscape and the actors, actions, and assets that are present in breaches.

The article "2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways" highlights 12 key takeaways, including:

DBIR 2019 Key Takeaways

  • Financial gain remains the most common motivation behind data breaches (71%)
  • 43% of breaches occurred at small businesses
  • A third (32%) of breaches involved phishing
  • The nation-state threat is increasing, with 23% of breaches by nation-state actors
  • More than half (56%) of data breaches took months or longer to discover
  • Ransomware remains a major threat, and is the second most common type of malware reported
  • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
  • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
  • Espionage is a key motivation behind a quarter of data breaches
  • 60 million records breached due to misconfigured cloud service buckets
  • Continued reduction in payment card point of sale breaches
  • The hacktivist threat remains low; the increase in hacktivist attacks reported in the DBIR 2012 report appears to be a one-off spike

For me, the most interesting takeaway from the Verizon report is the way cyberattackers get into a computer network: executives are "six times more likely to be a target of social engineering than they were only a year ago; and, C-level executives are 12 times more likely to be the target."

This means that Business Email Compromises (BEC) are proving successful for ID theft criminals and cyber thieves.

Verizon stated that BEC-related data breaches represented 248 confirmed breaches out of the 2,013 confirmed data breaches or 18.3 percent. In addition, Risk Based Security recently announced the release of its Q1 2019 Data Breach QuickView Report highlighting how over 1,900 data breach events — exposing over 1.9 billion records — were reported in the first three months of 2019.

According to Risk Based Security, "no other first quarter has seen this level of activity, putting 2019 on pace to be yet another ‘worst year on record’ for the number of publicly reported breaches."

The report found "that 67.6% of records compromised in Q1 were due to exposure of sensitive data on the Internet."


To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


BBB Tip: Phony Debt Collection

By Better Business Bureau. April 12, 2019.

Debt collection scams are one of the most frightening and persistent scam types. Victims often report that scammers harass them for weeks or even months, both at home and at work, trying to get them to pay a debt they don’t even owe. However, BBB is receiving increasing reports that con artists have recently changed their tactics. Many scammers have switched from "bad cop" to "good cop." Below is information about both versions of the scam.

How the Scam Works:

The scammer calls and tells you that they work for a loan company, law firm or government agency, and claims to be collecting an overdue payment. When you reply that you don’t owe money, the "debt collector" starts to make threats of suing you, having your wages garnished, arresting you, or forcing you to appear in court thousands of miles from home.

Despite the threats, these "debt collectors" don't have any legal power. In most cases, the alleged overdue loan doesn't even exist. Don't give in and pay money you don't owe. If you do, the scammer will likely be back for more.

The "Good Cop" Version:

You receive an unsolicited call from a debt collection agency. The caller claims you have an old unpaid debt that is about to go to court. The person who speaks with you is polite and appears to have your best interests at heart. They seem like they sincerely want to help you avoid going to court. To fix the situation, all you need to do is make a reasonable payment, perhaps even divided up into several installments.

No matter how kind the caller seems, don’t fall for it. If you make the payment, the person you spoke to on the phone will take the money and disappear. Any future efforts to contact them will be in vain.

Tips to Spot This Scam:

  • Ask the debt collector to provide official "validation notice" of the debt. In the U.S. and most of Canada, debt collectors are required by law to provide this information in writing. The notice must include the amount of the debt, the name of the creditor, and a statement of your rights. If the self-proclaimed collector won't provide the information, hang up.
  • Ask for more information. If you do owe money and aren’t sure if the caller is real, ask for their name, company, street address, and telephone number. Do not provide any bank account, credit card, or other personally identifiable information over the phone. If the collector is legitimate, they should have details on the accounts in question.

Protect Yourself:

  • Just hang up. If you don’t have any outstanding loans, hang up. Don’t press any numbers or speak to an "agent."
  • Check your credit report. In the US, check with one of the three national credit reporting companies (Equifax, TransUnion, Experian). In Canada, check with Equifax Canada. This will help you determine if you have outstanding debts or if there has been suspicious activity.
  • Place a fraud alert on your credit report. If the scammer has personal information, place a fraud alert with the three national credit reporting companies.

For More Information

Read this article from the Federal Trade Commission about dealing with fake debt collectors.

To learn more about other kinds of scams, go to BBB.org/ScamTips.

If you've been targeted by this scam, help others avoid the same problem by reporting your experience at FTC.gov/Complaint and BBB.org/ScamTracker.

If you believe your identity has been stolen, call 866.SMART68 today!